Ex-Startup Employees: Beware of Personal Data Theft Through Outdated Google Logins!
In today’s digital age, data security for startup employees has become increasingly critical, especially following the collapse of their companies. Recent findings by security researcher Dylan Ayrey highlight that employees from failed startups face a heightened risk of having their sensitive information compromised, including private Slack messages, Social Security numbers, and even bank account details.
The Discovery by Dylan Ayrey
Dylan Ayrey, the co-founder and CEO of Truffle Security, made this alarming discovery. He is best known for developing TruffleHog, an open-source tool that detects leaked credentials such as API keys, passwords, and tokens before malicious actors can use them to log in.
Ayrey’s Insights at ShmooCon
Recently, at the ShmooCon security conference, Ayrey presented a significant flaw he uncovered related to Google OAuth, the technology enabling users to “Sign in with Google” without traditional passwords. This vulnerability poses a severe threat to the security of failed startups’ employees.
How the Vulnerability Works
Ayrey explained that if cybercriminals acquire the expired domains of defunct startups, they can use “Sign in with Google” on those domains to log into the cloud software that every employee had access to, such as company chat or video applications. Such a breach could lead to:
- Accessing company directories
- Discovering former employees’ emails
- Compromising sensitive HR systems with Social Security numbers
To demonstrate the vulnerability, Ayrey purchased a domain from a failed startup and successfully logged into various platforms, including ChatGPT, Slack, Notion, and Zoom, where he accessed an HR system containing Social Security information.
The Severity of the Threat
“That’s probably the biggest threat,” Ayrey stated in an interview with TechCrunch, emphasizing that data from HR systems is simple for hackers to monetize. Social Security numbers and banking details are particularly vulnerable targets.
Moreover, Ayrey estimates that tens of thousands of former employees and millions of SaaS accounts are at risk, based on his research indicating that over 116,000 domains from failed tech startups are currently available for sale.
Prevention Measures and Limitations
Google has built protections into its OAuth framework to mitigate this risk, notably a “sub” identifier: a unique value tied to an individual Google account. However, Ayrey found inconsistencies with this identifier when working with one affected SaaS HR provider, which stated that the value could change in rare cases (0.04%).
This figure, while seemingly small, translates into hundreds of failed logins per week for HR systems, raising concerns about how far providers can rely on the sub identifier alone.
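As an added example (not from the article or from Truffle Security), the following Python sketches how a SaaS provider could key “Sign in with Google” logins to the stable `sub` claim rather than to the email address or domain, and how to handle the rare `sub` change the article mentions without silently handing a domain's new owner the former employee's account. The account names, identifiers and claim dictionaries are constructed sample data.

```python
# Added example, not code from the article or from Truffle Security.
# The claim dicts stand in for an already signature-verified Google ID token;
# real code must verify the token (signature, issuer, audience, expiry) first.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    email: str
    sub: str   # Google's per-account "sub" claim, stable across email/domain changes
    name: str


@dataclass
class Directory:
    """Constructed stand-in for the provider's user store, indexed two ways."""
    by_sub: Dict[str, Account] = field(default_factory=dict)
    by_email: Dict[str, Account] = field(default_factory=dict)

    def add(self, acct: Account) -> None:
        self.by_sub[acct.sub] = acct
        self.by_email[acct.email.lower()] = acct


def resolve_login(directory: Directory, claims: dict) -> Tuple[str, Optional[Account]]:
    """Decide what a verified Google login maps to. Returns (decision, account):
    'login'  - sub matches a known account; email may even have changed
    'review' - email matches a known account but sub differs: either the rare
               legitimate sub change or a re-registered expired domain, so
               require out-of-band verification instead of granting access
    'new'    - neither matches; treat as a fresh, unprivileged signup
    'reject' - Google did not assert the email as verified
    """
    if not claims.get("email_verified"):
        return ("reject", None)
    sub = claims["sub"]
    email = claims["email"].lower()
    if sub in directory.by_sub:                 # strong match: the same Google account
        return ("login", directory.by_sub[sub])
    if email in directory.by_email:             # same address, different account
        return ("review", directory.by_email[email])
    return ("new", None)


def sample_directory() -> Directory:
    """Constructed sample data: one former employee of a defunct startup."""
    d = Directory()
    d.add(Account("alice@failedstartup.example", "sub-1111", "Alice"))
    return d
```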
Google’s Changing Stance
Initially, Google dismissed Ayrey’s findings as a “fraud” issue rather than a bug. However, after Ayrey’s presentation at ShmooCon, Google reopened the case and awarded him a $1,337 bounty. This reflects a pattern, as Ayrey received similar recognition after a talk at the Black Hat cybersecurity conference in 2021.
While Google has yet to ship a technical fix for this vulnerability, it has updated its guidance for cloud service providers to emphasize the use of sub identifiers. Google also advises founders to shut down their cloud services properly when closing a business.
The Importance of Proper Cloud Service Management
Ayrey understands the complexities founders face during the shutdown process. Shutting down a startup involves numerous tasks, from disposing of employee equipment to managing financial obligations, often during an emotionally challenging period.
“When the founder has to deal with shutting the company down, they’re probably not in a great head space to think about all the things they need to consider,” Ayrey noted.